Security Log For Confluence - Match Username to IP Address

Dalectric
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
August 3, 2018

I need to identify the IP addresses that users are accessing my Confluence server from so that I can correctly filter them out in Apache.

JIRA already has an excellent log file which I can use for this (atlassian-jira-security.log) as detailed in 

https://confluence.atlassian.com/adminjiraserver073/logging-and-profiling-861253813.html

  • Security-related information (e.g. login, logout, session creation/destruction, security denials) is written to atlassian-jira-security.log.

e.g.

2018-07-20 09:36:11,161 http-nio-8080-exec-149 url:/rest/dev-status/1.0/issue/summary joebloggs 576x346142x1 - 10.12.22.124,221.250.140.12 /rest/dev-status/1.0/issue/summary The user 'joebloggs' has PASSED authentication.

However this log file doesn't exist for Confluence and I can't seem to find a way to generate this information. Ideally I'd like a log entry for when a user passes authentication which includes the IP address they accessed Confluence from.

Is there a way to create this information in my logs on Confluence?

2 answers

2 accepted

1 vote
Answer accepted
Dalectric
August 15, 2018

OK, I've cracked it. These are all the things I needed to do.

Add the following to server.xml before </Engine> where the IP address is that of my server (logs the client's IP address instead of the Apache reverse proxy address)

<Valve
    className="org.apache.catalina.valves.RemoteIpValve"
    internalProxies="192\.168\.10\.123"
    remoteIpHeader="x-forwarded-for"
    proxiesHeader="x-forwarded-by"
    protocolHeader="x-forwarded-proto"
/>

 In WEB-INF web.xml uncommented the following entry

<filter-mapping>
    <filter-name>AccessLogFilter</filter-name>
    <url-pattern>/display/*</url-pattern>
</filter-mapping>

 In WEB-INF/classes log4j.properties uncomment and modify

log4j.category.com.atlassian.confluence.util.AccessLogFilter=INFO, accesslog
log4j.additivity.com.atlassian.confluence.util.AccessLogFilter=false

and added the following near the start of the file under the other appender declarations. The ConversionPattern is customised for my needs from the standard declaration.

log4j.appender.accesslog=org.apache.log4j.RollingFileAppender
log4j.appender.accesslog.Threshold=DEBUG
log4j.appender.accesslog.File=${catalina.home}/logs/atlassian-confluence-access.log
log4j.appender.accesslog.MaxFileSize=20480KB
log4j.appender.accesslog.MaxBackupIndex=5
log4j.appender.accesslog.layout=com.atlassian.confluence.util.PatternLayoutWithStackTrace
log4j.appender.accesslog.layout.ConversionPattern=%d %p [%t] %m%n

In the Windows service added the following line (forces IPv4 address as I was getting 0:0:0:0:0:0:1 IPv6 address)

-Djava.net.preferIPv4Stack=true

And now I have a new log file which gives date and time of access along with the username and client IP address

2018-08-15 11:11:23,020 INFO [http-nio-8090-exec-4] joebloggs GET https://con-testsvr/display/CT/task+list 5837972-291988 2587 192.100.22.102

 Thanks to @Zak Laughton for pointing me in the right direction

Dalectric
November 28, 2019

Changing the url-pattern to only record the index.action which happens after a user logs in has reduced the size of the log file

<filter-mapping>
<filter-name>AccessLogFilter</filter-name>
<url-pattern>/index.action</url-pattern>
</filter-mapping>
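
Added example, not part of the original posts: a Python parser for the AccessLogFilter lines shown in this thread (both the default layout and the customised `%d %p [%t] %m%n` one) that builds the username-to-client-IP map the question asks for. The sample lines, host name, user names and addresses are constructed, and `proxy_addrs` is a hypothetical parameter for listing the reverse proxy's own address. Entries that still show a loopback or proxy address are counted separately, since they mean RemoteIpValve is not resolving the real client.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# <date> <level> [thread] [optional "[logger] method"] <user> <verb> <url> <mem> <ms> <addr>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>\w+) \[(?P<thread>[^\]]+)\] "
    r"(?:\[[^\]]+\] \w+ )?"  # present only with the default log4j pattern
    r"(?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<mem>\d+[+-]\d+) (?P<ms>\d+) (?P<addr>\S+)$"
)

def parse_line(line):
    """Return the fields of one access-log line, or None for other log lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def users_to_addresses(lines, proxy_addrs=()):
    """Map each authenticated user to the client addresses seen for them.

    Also returns how many authenticated entries carried a loopback or proxy
    address, i.e. entries where the real client IP was not resolved.
    """
    seen, unresolved = defaultdict(set), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["user"] == "-":  # "-" is an anonymous request
            continue
        try:
            addr = ip_address(rec["addr"])
        except ValueError:
            continue
        if addr.is_loopback or str(addr) in proxy_addrs:
            unresolved += 1
            continue
        seen[rec["user"]].add(str(addr))
    return {u: sorted(a) for u, a in seen.items()}, unresolved

# Constructed sample lines in the two layouts shown in this thread.
SAMPLE = """\
2018-08-07 10:00:15,845 INFO [localhost-startStop-1] [atlassian.confluence.util.AccessLogFilter] init AccessLogFilter initialized. Format is: <user> <url> ...
2018-08-07 10:00:30,744 INFO [http-nio-8090-exec-11] [atlassian.confluence.util.AccessLogFilter] doFilter - GET https://wiki.example/login.action 7161220-397312 4636 0:0:0:0:0:0:0:1
2018-08-07 10:00:49,609 INFO [http-nio-8090-exec-4] [atlassian.confluence.util.AccessLogFilter] doFilter alice GET https://wiki.example/pages/viewpage.action 6536070+1184355 15273 0:0:0:0:0:0:0:1
2018-08-15 11:11:23,020 INFO [http-nio-8090-exec-4] alice GET https://wiki.example/index.action 5837972-291988 2587 192.0.2.10
2018-08-15 11:12:01,500 INFO [http-nio-8090-exec-7] alice GET https://wiki.example/index.action 5837000-1000 120 198.51.100.7
2018-08-15 11:13:44,002 INFO [http-nio-8090-exec-2] bob GET https://wiki.example/index.action 5800000+2000 95 192.0.2.10
""".splitlines()

if __name__ == "__main__":
    mapping, unresolved = users_to_addresses(SAMPLE)
    for user, addrs in sorted(mapping.items()):
        print(user, ", ".join(addrs))
    print("entries with loopback/proxy address:", unresolved)
```
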
1 vote
Answer accepted
Zak Laughton
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
August 6, 2018

Hi Dalectric,

You can log user access along with their IP address by enabling User Access Logging in Confluence. See How to Enable User Access Logging.

-Zak

Dalectric
August 7, 2018

Thanks, I can see I can get close to what I require, but I can't seem to return the IP address. With the default values I get

2018-08-07 10:00:15,845 INFO [localhost-startStop-1] [atlassian.confluence.util.AccessLogFilter] init AccessLogFilter initialized. Format is: <user> <url> <starting memory free (kb)> +- <difference in free mem (kb)> <query time (ms)> <remote address>
2018-08-07 10:00:25,462 INFO [http-nio-8090-exec-3] [atlassian.confluence.util.AccessLogFilter] doFilter - GET https://ukcov-con/pages/viewpage.action 7702577-374790 1084 0:0:0:0:0:0:0:1
2018-08-07 10:00:30,744 INFO [http-nio-8090-exec-11] [atlassian.confluence.util.AccessLogFilter] doFilter - GET https://ukcov-con/login.action 7161220-397312 4636 0:0:0:0:0:0:0:1
2018-08-07 10:00:34,308 INFO [http-nio-8090-exec-8] [atlassian.confluence.util.AccessLogFilter] doFilter - POST https://ukcov-con/dologin.action 6568665-32595 807 0:0:0:0:0:0:0:1
2018-08-07 10:00:49,609 INFO [http-nio-8090-exec-4] [atlassian.confluence.util.AccessLogFilter] doFilter joebloggs GET https://ukcov-con/pages/viewpage.action 6536070+1184355 15273 0:0:0:0:0:0:0:1

Looking at the JIRA setting I see it has a specific API for handling this in 

https://docs.atlassian.com/DAC/javadoc/jira/reference/com/atlassian/jira/util/log/Log4jKit.html

And you can see this in the log file setup on JIRA

log4j.appender.securitylog.layout.ConversionPattern=%d %t %X{jira.username} %X{jira.request.id} %X{jira.request.assession.id} %X{jira.request.ipaddr} %X{jira.request.url} %m%n

There doesn't appear to be the same API for Confluence so how can I add the IP address to the output log file for Confluence?

(I'm plugging away at this so if I find a way I'll post up the answer)

Dalectric
August 13, 2018

Looking at this some more, it seems that my remote address is coming through as IPv6 (0:0:0:0:0:0:0:1) and not IPv4 as shown in the example (127.0.0.1). Any ideas why this would be?

Dalectric
August 13, 2018

Adding the following line to my Java options forced it to IPv4 format

-Djava.net.preferIPv4Stack=true

However the IP address is always the Confluence server address. Possibly due to the Apache reverse proxy that's in place. Further investigation ongoing. 

Dalectric
August 14, 2018

An alternative is to add the following to the server.xml before the </Engine> tag, and it does what I need, but it generates a lot of entries as each element from a page creates a log entry. That means the files will grow to a very large size very quickly. 

<Valve className="org.apache.catalina.valves.AccessLogValve"
    directory="logs"
    prefix="conf_access_log"
    fileDateFormat="-yyyyMMdd"
    suffix=".log"
    pattern="%t %a %l %{X-Forwarded-For}i %{X-AUSERNAME}o &quot;%{Referer}i&quot; &quot;%r&quot; %b"
    resolveHosts="false"/>
